Privacy Policy Statements and Information Collection
Frequently Asked Questions

(Q1) I'm just a Web author. Why do I have to worry about all this stuff?

Answer: If your Web site is available to the public, it represents the United States Government and the Department of Commerce.

(Q2) How do we define "pages where information is collected"?  Shouldn't that be any page where "personally identifiable information" is collected?

Answer: No! For purposes of the Web site Privacy Policy statement there is no difference based on whether the information is personally identifiable. The United States Office of Management and Budget (OMB) requires Web site Privacy Policy statements to include a disclosure about how they deal with any information that is collected! For more on this, check the June 1, 1999, OMB Guidance and Model Language for Federal Web Site Privacy Policies, and note particularly the sample statement on "Information Collected and Stored Automatically" on page three. This indicates that OMB considered information such as IP addresses and domain names to be "information collection" that must be disclosed in the Privacy Policy statement.

(Q3) Does this mean that every page on our Web site must have a link to our Privacy Policy statement?

Answer: No! For example, if the only information gathered on a particular Web page is log data like that collected by most Web servers, then that particular page would not be required to have a link to the Privacy Policy statement (see Exceptions to this policy). On the other hand, if you are asking the user to provide you with specific information such as the type of business they are in, or their name, address, phone number, etc., then a link would be required on the particular page that collects that information.

(Q4) Why doesn't the Department of Commerce just follow the OMB guidance and the Privacy Act requirements?

Answer: We do. However, as the Discussion section indicates, the DOC policy on Privacy Policy Statements and Information Collection is designed to meet the requirements of multiple enactments and executive directives. The policy combines all of these mandates into a single set of rules which cover most situations. If, after reading the Discussion section of the policy, you believe you need further guidance regarding the Privacy Act and Paperwork Reduction Act, you should contact your agency's Privacy Officer or Paperwork Reduction Officer.

(Q5) I found a very clear Privacy Policy statement at another Web site. Why can't I just put a link to that statement on my Web site?

Answer:  Maybe you can.  It depends.  First, you have to make sure that the Privacy Policy statement accurately describes the privacy policies of your Web site and you have to check it regularly because it might change.  Also, it is preferable not to link to Privacy Policy statements outside your own agency or Operating Unit because your Operating Unit has no control over them.

(Q6) What is this requirement regarding information children may provide?

Answer:  The Children's Online Privacy Protection Act (COPPA), effective April 21, 2000, applies to the online collection of personal information from children under 13. There are rules that spell out what a Web site operator must include in a Privacy Policy, when and how to seek verifiable consent from a parent, and what responsibilities an operator has to protect children's privacy and safety online. The FTC says that if you operate a "general audience" Web site and have actual knowledge that you are collecting personal information from children, you must comply with the Children's Online Privacy Protection Act.

(Q7) If children see my Web site, do I have to include something specifically about children in our Privacy Policy statement?

Answer:  It depends.  If your Web site is directed toward children or you are knowingly collecting information from children, then your Privacy Policy statement must disclose how you use and handle that information. Where (and if) your site collects information about children, you must provide a way for parents to review the data that is collected.  However, parental consent is not required if your site is merely collecting an email address in order to make a one-time response to an inquiry from a child.  If you have further questions about how to implement this part of the standard you should contact the Office of the General Counsel (202-482-5391) for specific guidance.

To learn more about COPPA, check out the on-line guidance prepared by the Federal Trade Commission staff.

(Q8) What else do I have to worry about?

Answer:  There are certain situations in which information collected by a Department Web site might have to be disclosed.  These involve 1) Freedom of Information Act requests, and 2) possible disclosure of information in connection with legitimate law enforcement activity. The Freedom of Information Act (FOIA, 5 U.S.C. § 552) was enacted in 1966 so that the people of the United States would have access to federal agency records that were not already publicly available. Under FOIA, any person can obtain government records (information) merely by making an appropriate request to the agency's FOIA Office, as long as the records are not covered by one of the nine narrow FOIA exemptions. It is therefore possible that email, computer log data, or other information collected by a Web site could be the object of a valid FOIA request, thus requiring its disclosure.

Secondly, if your Web site is hosted by another organization, you may not be aware that the server on which your Web site resides almost certainly employs software programs which log data for routine administrative and security purposes. These programs monitor network traffic, gather usage statistics, and collect data which can be used to detect and track unauthorized attempts to upload or change information or otherwise cause damage. How long this information is retained depends on how your Web server is administered, but it could be retained for some time, for example in backup files. It could also be used in a legitimate law enforcement investigation of misuse of or damage to government computer systems.

Disclosure of Web site information under FOIA or because of law enforcement activity is relatively rare, but your Privacy Policy statement should not say anything that would lead visitors to believe it could never happen.

Department of Commerce Web Advisory Council (WAC)
U.S. Department of Commerce

Send questions and comments about this page to WAC@doc.gov
Page last updated October 12, 2010